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Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 1 33). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1 .704(b). 

Status 

1 )S Responsive to communication(s) filed on 02 March 2005 . 
2a)S This action is FINAL. 2b)D This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayfe, 1935 CD. 11, 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 1-29 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) E3 Claim(s) 1-9.14-16.18.20.22-24.26 and 28 is/are rejected. 

7) M Claim(s) 10-13.17.19.21.25.27 and 29 is/are objected to. 

8) Q Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10)D The drawing(s) filed on is/are: a)D accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 

Replacement drawing sheet(s) including the correction is required jf the drawing(s) is objected to. See 37 CFR 1 .121(d). 
1 1 )□ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12)D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 19(a)-(d) or (f). 
a)D All b)D Some * c)D None of: 

1 D Certified copies of the priority documents have been received. 

2. Q Certified copies of the priority documents have been received in Application No. . 

3. Q Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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2) [Zl Notice of Draftsperson's Patent Drawing Review (PTO-948) 
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DETAILED ACTION 

1 . Claims 1-29 are pending. 

Claim Objections 

2. Claims 10-13, 17, 19, 21, 25, 27, 29 objected to as being dependent upon a rejected base 
claim, but would be allowable if rewritten in independent form including all of the limitations of 
the base claim and any intervening claims. 

Response to Arguments 

3. Applicant has argued (page 22, Arguments - page 24, response to the rejection under 35 
USC 102) 

"Unlike the present invention, Schuba does not teach a transmit module to receive outgoing 
packets form a software application and discard the outgoing packets determined to be from a 
zombie application prior to being transmitted over a network. Schuba also does not teach or 
suggest a monitor module in communications with the transmit module. . .to track transmit packet 
patterns from. . .the software application and to determine whether the software application is the 
zombie application based upon the transmit. . .package patterns." 

The Applicant appears to seek to distinguish over the prior art by emphasizing the point at which 
the network receives and identifies dangerous zombie packets. However, the Examiner contends 
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that such distinction is not only obvious, but remains highly subjective to interpretation. The 
"incoming" aspect of a packet or the "outgoing direction" do not preclude each other. For 
Example, an incoming packet to one entity is also an outgoing packet to another entity. The 
analogy can be made with cars. Applicant's distinction is similar to a statement arguing that a 
car is coming and not going, or going but not coming. 

Furthermore, the Examiner contends that the term "transmit pattern" or "receive pattern" is also 
subject to a large degree of interpretation. Any scanning or detection or analysis of packets may 
be considered an analysis of the transmit patterns or receive patterns. Schuba et al. in particular 
states that a S YN packet sequence is observed. Because this obviously applies to a plurality of 
packets, the Examiner would contend that a pattern of analysis is "tracked". As mentioned 
above, any packet sequence necessarily involves both an "incoming" attribute as well as an 
"outgoing" attribute simply depending on point of view. 

The Examiner is required to read the claims in light of the specification with the broadest 
reasonable interpretation that is consistent with the art. There is an important distinction 
however, with reading the claims in light of the specification and reading the limitations of the 
specification into the claims. 

Claim Rejections - 35 USC §102 
4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
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A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

5. Claims 1, 14, 22 are rejected under 35 U.S.C. 102(e) as being anticipated by Schuba et 
al, US patent 6,725,378. 

In reference to claim 1 : 

Schuba et al discloses a system for detecting and restricting denial of service attacks, 
comprising: 

• A transmit module to receive outgoing packets from a software application and discard 
the outgoing packets that are determined to be from a zombie application prior to being 
transmitted over a network, where the zombie application packets are discarded since the 
connection will be closed. (Column 8, lines 18-32) 

• A receive module to receive incoming packets from a network interface and to discard 
the incoming packets that are determined to be from a zombie application, where the 
packets received are refused since the connection is closed. (Column 8, lines 18-32) 

• A monitor module in communications with the transmit module and the receive module 
to track transmit patterns from and receive packet patterns to the software application and 
to determine whether the software application is the zombie application based upon the 
transmit and receive packet patterns. (Column 11, line 65 - Column 12, line 32) 
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In reference to claim 14: 

Schuba et al. discloses a method of detecting and restricting denial of service attacks comprising: 

• Monitoring incoming and outgoing packets to and from a software application, where the 
monitored packets are the monitored data streams. (Column 9, lines 15-32) (Column 5, 
lines 58 - Column 6, line 8) 

• Placing the software application on a zombie list or a watch list when a pattern of the 
incoming or outgoing packets to or the software application matches that of the 
characteristics of a zombie application, where the zombie list is the list (Column 6, lines 
30-37) from where the hosts have a rank. (Column 11, lines 8-15) 

• Blocking reception and transmission of packets to and from the software application 
when the software application has been placed on the watch list or the zombie list in a 
previous cycle and the software application further exhibits the characteristics of a 
zombie application. (Column 11, line 65 - Column 12, line 32) 

Claim 22 is rejected for the same reasons as claim 14. 



Claim Rejections - 35 USC §103 
6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 
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7. Claims 2-9, 15-16, 18, 20, 23-24, 26, 28 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Scuba et al. in view of Porras et al., US patent 6,321,338. 

In reference to claim 2: 

Scuba et al. fails to explicitly disclose the system recited in claim 1, wherein said the 
monitor determines that the software application is the zombie application by identifying that the 
software application is transmitting a large number of packets without receiving any packets and 
placing the software application on a zombie list or a watch list. 

Porras et al. (Column 13, lines 30-49) however, discloses a monitoring system wherein an 
application is determined to be bad by identifying that the software application is transmitting a 
large number of packets without receiving any packets and placing the software application on a 
zombie list or a watch list, where the large number of packets is transmitted without receiving 
packets when ratio of packets received to packets sent is unusually unbalanced. 

Porras et al. (Column 2, lines 42-53) teaches that an advantage is provided with the 
monitoring system in that it protects the network from intrusion, as well as detecting abnormal 
activity without requiring an administrator to catalog each type of attack on the network, 
allowing for some protection even when attacks have not yet been described by an administrator. 

It would have been obvious to one of ordinary skill in the art at the time of invention to 
use the software monitor of Porras et al. as the monitor of Schuba et al. in order to provide 
greater protection for attacks that an administrator has not yet cataloged. 
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Claim 3, 15, 20, 23, 28 is rejected for the same reasons as claim 2. 

In reference to claim 4: 

Scuba et al. fails to explicitly disclose the system recited in claim 1, wherein the monitor 
determines that the software application is a possible zombie application by identifying that the 
software application is not receiving any packets and placing the software application on a watch 
list. 

Porras et al. (Column 6, lines 10-25) discloses a monitoring system where the application 
is bad by identifying that the software application is not receiving any packets and placing the 
software application on a watch list, where the software is "profiled" as an anomaly when an 
abnormal loss of received packets is detected. 

Porras et al. (Column 2, lines 42-53) teaches that an advantage is provided with the 
monitoring system in that it protects the network from intrusion, as well as detecting abnormal 
activity without requiring an administrator to catalog each type of attack on the network, 
allowing for some protection even when attacks have not yet been described by an administrator. 

It would have been obvious to one of ordinary skill in the art at the time of invention to 
use the software monitor of Porras et al. as the monitor of Schuba et al. in order to provide 
greater protection for attacks that an administrator has not yet cataloged. 

In reference to claim 5: 
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Scuba et al. fails to explicitly disclose the system recited in claim 4, wherein the monitor 
module alerts the user and the transmit module and receive the module that the software 
application is the zombie application when the software application has previously been placed 
on the watch list and the software application is now transmitting a large number of packets. 

Porras et al. (Column 13, lines 60-65) discloses a monitoring system where the 
application is bad by identifying that the software application is not receiving any packets and 
placing the software application on a watch list, where the traffic is marked as malicious traffic if 
the application was receiving little or few packets, and is now transmitting a large number of 
packets. 

Porras et al. (Column 2, lines 42-53) teaches that an advantage is provided with the 
monitoring system in that it protects the network from intrusion, as well as detecting abnormal 
activity without requiring an administrator to catalog each type of attack on the network, 
allowing for some protection even when attacks have not yet been described by an administrator. 

It would have been obvious to one of ordinary skill in the art at the time of invention to 
use the software monitor of Porras et al. as the monitor of Schuba et al. in order to provide 
greater protection for attacks that an administrator has not yet cataloged. 

Claims 6,8, 16, 18, 24, 26 are rejected for the same reasons as claim 4. 
Claims 7, 9 are rejected for the same reasons as claim 5. 



Conclusion 
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8. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy 
as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of the final action and the advisory action is not mailed under after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension pursuant to 37 CFR 
1 . 1 36(A) will be calculated from the mailing date of the advisory action. In no event, however, 
will the statutory period for reply expire later than SIX MONTHS from the mailing date of this 
final action. 

9. Any inquiry concerning this communication from the examiner should be directed to 
Thomas M Ho whose telephone number is (571)272-3835. The examiner can normally be 
reached on M-F from 9:30 AM - 6:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Gregory A. Morse can be reached on (571)272-3838. 

The Examiner may also be reached through email through Thomas.Ho6@uspto.Rov 

Any inquiry of a general nature or relating to the status of this application or proceeding should 
be directed to the receptionist whose telephone number is (571)272-2100. 

General Information/Receptionist Telephone: 571-272-2100 Fax: 703-872-9306 
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Customer Service Representative Telephone: 571-272-2100 Fax:703-872-9306 



TMH 

June 26 th , 2005 



